Last updated Feb 4, 2021

Cloud shared responsibility model (SRM)

The security posture and compliance profile of Atlassian cloud apps is a shared responsibility between you (the app developer) and Atlassian. As an app developer, understanding your role in these responsibilities is essential to ensure the secure use of the Atlassian platform and APIs.

The exact division of responsibilities differs, depending on the platform your app is built upon either Forge, Connect, or OAuth 2.0 (3LO) integration. These responsibilities include requirements relating to security controls, logging, monitoring, and other elements of app security that help to ensure the protection of our shared users.

Firstly, make sure you have read and are adhering to the Developer terms and Marketplace partner agreement. Then verify that each of your apps meets the guidelines in the shared responsibility model. By doing so, you'll adopt best practices and protect your app from common vulnerabilities.

If you need help or have any questions about the model, the Atlassian Ecosystem team is here to help you be successful. Create a post on, and you'll find both Atlassian team members and the friendly developer community available to provide guidance.

Division of responsibilities

This table highlights the division of responsibilities between Connect, Forge, and OAuth 2.0 (3LO) apps.

ResponsibilityAtlassian ConnectForgeOAuth 2.0 (3LO)
App elementsYouYou and AtlassianYou
Operational elementsYou and AtlassianYou and AtlassianYou
Security featuresYouAtlassianYou

App elements

App elements describes all the technical aspects of an app, such as:

  • authentication and authorization of users or API requests
  • input validation and output encoding
  • app logic
  • the framework used to integrate with Atlassian (e.g. Atlassian Connect Express)
  • data storage
  • tenant safety

Operational elements

Aspects around running and operating the app, such as:

Security features

Security features for apps limited to:

  • user identity and access management (IAM)
  • denial-of-service (DoS) protection
  • abuse prevention via platform limits

Next steps

For more detail, see the appropriate SRM page for your app:

Rate this page: